1.  Create an executable C program named setest to create, read and write
hello.txt.
2.  Push setest to /data.  root@grouper:/data # ./setest  ---- this will
create hello.txt in /data.
3.  Add setest.te in external/sepolicy:

setest.te

type setest, domain, mlstrustedsubject;
type setest_exec, exec_type, file_type;
permissive setest;
domain_auto_trans(shell, setest_exec, setest)
# I think I execute setest by ./setest, so it transitions from
# shell to setest.
auditallow setest sec_file:file rwx_file_perms;


4.  Add the new contexts to file_contexts.

/data/hello.txt    u:object_r:sec_file:s0
/data/setest       u:object_r:setest_exec:s0


5.  Add the new type in file.te:

# /data/hello.txt
type sec_file, file_type, data_file_type;


6.  Compile the policy and adb push sepolicy, file_contexts, seapp_contexts,
service_contexts and property_contexts to /data/security/current.

Copy /selinux_version to /data/security/current.

root@grouper:/data/security/current # setprop selinux.reload_policy 1
root@grouper:/data/security/current # restorecon file_contexts
reboot

-------------------------------------------------------------------------------------------------------------------
But the result is:

root@grouper:/data # ls -Z
-rw------- root root u:object_r:sec_file:s0 hello.txt
-rwxrwxrwx shell shell u:object_r:system_data_file:s0 setest


The type of hello.txt is sec_file, as I expected,
but the type of setest is not setest_exec.

--------------------------------------------------------------------------------------------------------------------
Please help me, thanks in advance.
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

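The question above turns on two things: how a path is matched against file_contexts, and the fact that a label lives on the inode, so editing file_contexts and reloading policy changes nothing on disk until restorecon is run on the path itself (not on the file_contexts file). The script below is an added example written for this thread; it is not the poster's code and not part of AOSP or libselinux. It models the matching the 4.3-era libselinux file backend performs (each entry anchored as ^regex$, last matching entry wins; newer libselinux releases sort the entries first, so treat that detail as an assumption to check against your version), then compares the labels from a constructed copy of the poster's ls -Z listing with what the (constructed, abbreviated) file_contexts says, producing the list of paths that still need restorecon.

```python
"""Resolve file_contexts labels the way the libselinux file backend does and
list files whose on-disk label no longer matches. Added example for this
thread; not the poster's code and not from AOSP/libselinux."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed, abbreviated file_contexts (not the real AOSP file): a few stock
# entries plus the two lines the poster appended for the experiment.
FILE_CONTEXTS = """\
# Root
/                          u:object_r:rootfs:s0
# Data files
/data(/.*)?                u:object_r:system_data_file:s0
/data/dalvik-cache(/.*)?   u:object_r:dalvikcache_data_file:s0
# Added for the setest experiment
/data/hello.txt            u:object_r:sec_file:s0
/data/setest               u:object_r:setest_exec:s0
"""

# Constructed from the `ls -Z` listing in the post (toolbox format:
# mode owner group context name).
LS_Z_DATA = """\
-rw------- root root u:object_r:sec_file:s0 hello.txt
-rwxrwxrwx shell shell u:object_r:system_data_file:s0 setest
"""


@dataclass
class Spec:
    regex: "re.Pattern"       # anchored: libselinux wraps each entry in ^...$
    ftype: Optional[str]      # optional -b/-c/-d/-p/-l/-s/-- filter, or None
    context: str
    lineno: int


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse 'regex [type] context' lines, skipping blanks and # comments."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1].startswith('-'):
            regex, ftype, context = fields
        else:
            raise ValueError(f'file_contexts line {lineno}: cannot parse {raw!r}')
        specs.append(Spec(re.compile('^' + regex + '$'), ftype, context, lineno))
    return specs


# First character of an `ls -l` mode string -> file_contexts type filter.
MODE_TO_FTYPE = {'b': '-b', 'c': '-c', 'd': '-d', 'p': '-p',
                 'l': '-l', 's': '-s', '-': '--'}


def lookup(specs: List[Spec], path: str, mode_char: str = '-') -> Optional[Spec]:
    """Return the Spec that labels `path`: the LAST matching entry wins
    (4.3-era libselinux scans the list from the end), matching is anchored,
    and an entry with a type filter only applies to that file type."""
    ftype = MODE_TO_FTYPE.get(mode_char)
    for spec in reversed(specs):
        if spec.ftype not in (None, ftype):
            continue
        if spec.regex.match(path):
            return spec
    return None


def relabel_plan(specs: List[Spec], directory: str, ls_z_output: str):
    """Compare the label stored on each inode (from `ls -Z`) with what
    file_contexts now says. Changing file_contexts never touches existing
    inodes, so every mismatch here is a path that needs `restorecon <path>`."""
    plan = []
    for line in ls_z_output.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        mode, current, name = fields[0], fields[3], fields[4]
        path = directory.rstrip('/') + '/' + name
        spec = lookup(specs, path, mode[0])
        if spec and spec.context != '<<none>>' and spec.context != current:
            plan.append((path, current, spec.context))
    return plan


if __name__ == '__main__':
    specs = parse_file_contexts(FILE_CONTEXTS)
    for p in ('/data/setest', '/data/setest2', '/data/hello.txt',
              '/data/dalvik-cache/x.dex'):
        s = lookup(specs, p)
        print(f'{p:28} -> {s.context} (file_contexts line {s.lineno})')
    for path, current, expected in relabel_plan(specs, '/data', LS_Z_DATA):
        print(f'{path}: on disk {current}, policy says {expected}'
              f' -> run: restorecon {path}')
```

Two things the run makes visible: /data/setest2 falls through to the /data(/.*)? catch-all because matching is anchored, so the appended /data/setest entry does not spill onto neighbouring names; and the only mismatch reported is /data/setest, which was pushed with adb before the new file_contexts was in place and so still carries the label it inherited at creation time.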